Control that earns an auditor's trust.
Bombalyx sits in your release path, so we treat security as a first-class feature — not a checkbox. Here's how your data and your rollouts stay safe.
Encryption everywhere
TLS 1.3 in transit and AES-256 at rest. Flag payloads are signed end to end so the edge can verify what it serves.
SSO & granular RBAC
SAML SSO, SCIM provisioning, and per-environment roles. Production changes can require a second approver.
Isolated edge mesh
Evaluation runs on regional nodes with no customer data co-mingling. Business plans can pin residency by region.
Signed audit trail
Every flag change, approval, and rollback is timestamped, signed, and exportable for SOC 2 and change management.
Data residency
Choose where evaluation events are processed and stored — EU, UK, or US — to satisfy your compliance posture.
Resilient by design
SDKs cache the last known good ruleset, so flags keep resolving even if the control plane is briefly unreachable.
Built to the standards your customers ask about.
Need our security documentation or have a questionnaire to complete? Request access and we'll work through it with you under NDA.
- UK GDPR & EU GDPR compliant
- CCPA compliant
- SOC 2-aligned controls
- ISO 27001-aligned practices
- Independent penetration testing
- Encryption in transit & at rest